global
  log     /dev/log  local0
  log     /dev/log  local1 notice
  chroot  /var/lib/haproxy
  stats   socket /run/haproxy.sock mode 660 level admin
  stats   timeout 30s
  user    haproxy
  group   haproxy
  daemon

  # Default SSL material locations
  ca-base   /etc/ssl/certs
  crt-base  /etc/ssl/private

  # Default ciphers to use on SSL-enabled listening sockets.
  # For more information, see ciphers(1SSL). This list is from:
  #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
  ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
  ssl-default-bind-options no-sslv3

defaults
  log       global
  mode      tcp
  option    tcplog
  option    dontlognull
  timeout   connect 5000
  timeout   client  50000
  timeout   server  50000
  option    tcpka
  option    clitcpka
  option    srvtcpka
  option    tcp-check
{% if ansible_os_family == 'Debian' %}
  errorfile 400 /etc/haproxy/errors/400.http
  errorfile 403 /etc/haproxy/errors/403.http
  errorfile 408 /etc/haproxy/errors/408.http
  errorfile 500 /etc/haproxy/errors/500.http
  errorfile 502 /etc/haproxy/errors/502.http
  errorfile 503 /etc/haproxy/errors/503.http
  errorfile 504 /etc/haproxy/errors/504.http
{% endif %}

{% for item in haproxy_backends if item.expose|bool == true %}
listen {{ item.name | replace('.', '-') }}
  bind    0.0.0.0:{{ item.front_port }}
  server  {{ item.name }} {{ item.name }}.service.{{ consul_dc_name }}.consul:{{ item.back_port }} check fastinter 5000 downinter 30000 fall 2
{% endfor %}
